Presentations from Smoothwall and Ampliphae at Networkshop46.
Managing Prevent duty through effective web content management - by Tom Newton, product manager, Smoothwall.
The hidden risks of SaaS and cloud applications and how to take back control - by Nigel Oakley, director of business development, Ampliphae.
3. The Prevent duty is the legal obligation of authorities to provide “due regard to the need to prevent people from being drawn into terrorism”.
Counter-Terrorism and Security Act, 2015
4. Compliance
To comply with the Prevent duty, institutions must:
● assess the risks associated with Prevent in the context of their local situation and draw up a proportionate action plan to mitigate those risks
● have responsive, effective welfare support systems, ensuring concerns about students' wellbeing can be acted on, linking to Prevent structures (such as local authorities or the police) if necessary
● ensure internal mechanisms and external arrangements are in place for sharing information about vulnerable individuals when appropriate
● have systems in place for assessing and mitigating risks around external speakers and events on campus, while maintaining the existing duty to promote freedom of speech
● ensure senior managers are engaged with the Prevent duty, build links with external Prevent partners, and arrange ongoing Prevent training for relevant staff
● implement an IT usage policy which covers the Prevent duty
● ensure that students' unions and societies are aware of, and are consulted on, policies concerning activities on campus.
5. Myths around the Prevent duty
Myth 1 - the Prevent duty facilitates spying upon students
There is no reliable evidence suggesting that organisations are interested in gathering security-related intelligence, let alone engaging in it.
The risk of being drawn into terrorism is to be treated as a vulnerability, i.e. suicide.
Higher Education Funding Council for England, 2017
6. Myths around the Prevent duty
Myth 2 - the Prevent duty requires organisations to report students for the expression of radical views
Nobody can lawfully be referred to a Prevent panel merely for the expression of radical or unorthodox views; there must be evidence of a risk of harm.
Higher Education Funding Council for England, 2017
7. Myths around the Prevent duty
Myth 3 - the Prevent duty violates basic human rights
The Prevent duty complies with the European Convention on Human Rights, incorporated into UK law by the Human Rights Act.
Higher Education Funding Council for England, 2017
9. What not to do
● Heavy duty filtering
● Try and do the same as schools
● Keep students from accessing useful resources
10. What to do: Light Touch Filtering & Visibility
Smoothwall achieves this in 5 key ways...
● Search term filtering
● Government URL databases
● Content Filtering
● Alerting
● Overview reporting
11. What to do: Search Term Filtering
● Shows intent
● Often better than looking at search results
12. What to do: IWF & Counterterror Lists
● IWF members - block access to Illegal Child Abuse Images and Content (CAIC)
● Integrate the CTIRU (Counter Terrorism Internet Referral Unit) list of unlawful sites, produced on behalf of the Home Office
● First content filter to take the CTIRU list
14. What to do: Content Filtering
● Useful on social networks
● Only way to see “logged in traffic”
● Only way to see what’s there in real time
15. What to do: Alerting
● Low false positive rate
● Alerts go to the correct people
● Act before problems occur
16. What to do: Overview Reporting
● Can be useful to evaluate the prevalence of search queries and inappropriate accesses
● A good balance with alerting is essential
19. Prerequisites
● Authentication - no filter is useful if you can’t identify users
● Coverage of BYOD - should be considered in any rollout
● Responsibility - reports & alerts need action
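As an added example, not Smoothwall's code or configuration: a small Python routine that applies the pieces described above (search term extraction, per-user alerting with a threshold so that the false positive rate stays low, and overview reporting of prevalence) to constructed proxy log lines, and that skips hits which cannot be tied to an authenticated user. The log format, the query parameter names, the placeholder watch list and the threshold are assumptions.

```python
# Added example, not Smoothwall code. Log format, query parameter names,
# the placeholder watch list and the alert threshold are all assumptions.
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed watch list: placeholder strings, not a real CTIRU/Prevent list.
WATCHLIST = {"placeholder-term-a", "placeholder-term-b"}
# Query parameters carrying the search string on common engines (assumed).
QUERY_PARAMS = ("q", "p", "query", "search_query")
ALERT_THRESHOLD = 2  # distinct flagged searches per user before alerting

def extract_search(url):
    """Return the lower-cased search string from a search URL, or None."""
    qs = parse_qs(urlsplit(url).query)
    for key in QUERY_PARAMS:
        if qs.get(key):
            return qs[key][0].lower()
    return None

def analyse(log_lines):
    """Parse '<timestamp> <user> <url>' lines (assumed format) and return
    (alerts, report). Hits with no authenticated user ('-') are counted
    separately but never alerted on: with no person attached, nobody can act."""
    hits = defaultdict(set)   # user -> distinct flagged search strings
    prevalence = Counter()    # watch term -> number of matching searches
    unattributed = 0
    for line in log_lines:
        _ts, user, url = line.split(maxsplit=2)
        if user == "-":
            unattributed += 1
            continue
        search = extract_search(url)
        if search is None:
            continue
        matched = [t for t in WATCHLIST if t in search]
        prevalence.update(matched)
        if matched:
            hits[user].add(search)
    alerts = {u: sorted(s) for u, s in hits.items() if len(s) >= ALERT_THRESHOLD}
    return alerts, {"prevalence": dict(prevalence), "unattributed": unattributed}

# Constructed sample proxy log lines: timestamp, authenticated user, URL.
SAMPLE = [
    "2018-04-10T09:01:02 alice https://www.google.com/search?q=placeholder-term-a+history",
    "2018-04-10T09:03:15 alice https://search.yahoo.com/search?p=placeholder-term-b",
    "2018-04-10T09:05:40 bob https://www.google.com/search?q=placeholder-term-a",
    "2018-04-10T09:06:00 carol https://www.google.com/search?q=library+opening+hours",
    "2018-04-10T09:07:11 - https://www.google.com/search?q=placeholder-term-b",
]
```

Only alice, with two distinct flagged searches, crosses the threshold; bob's single hit still shows in the prevalence report, and the unattributed line is reported as such rather than alerted on.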
25. Shifting Landscape
Lift and shift / Rearchitect / Innovation / SaaSification
‘Vendors are shifting their business models from on-premises licensed software to public cloud-based offerings, this trend will continue.’ - Gartner
Applications that are lifted and shifted to the cloud can't take full advantage of native cloud features and may not be cost-effective.
26. The SaaS Challenge
Loss of Authority
● SaaS providers market direct to consumers
● Self selection – consumerisation of IT
● Decentralised decision making
Loss of Control
● Vendors define the architecture and deployment
● All that’s required is a browser and connectivity!
● Your data is managed by the vendor
But IT retain Accountability
● Risk of security and regulatory infringement
● Fewer control points, reduced visibility
● Total dependence on many more vendors
27. GDPR and Compliance Risks
Privacy: Is the data adequately secured and encrypted in transit and at rest?
Access: Who can access the data, who stores the data, can the cloud provider access it?
Rectification: Is it easy to change customer data on request, do you know where it is located?
Erasure: Can a customer’s data be completely deleted under your control?
Compliance: Can you prove that the SaaS applications your employees have signed up to provide appropriate GDPR regulatory compliance?
28. Cloud Adoption Lifecycle: Managed Adoption
Discovery: Evaluated by IT department as they test configurations, deployment, support processes
Understanding: Pilot with selected users who put the solution through its paces
Adoption: Controlled roll-out to departments and teams
Planned Commitment: In use across the organisation
[Lifecycle diagram; labels: Discovery, Understanding, Adoption, Planned Commitment, Uncontrolled Adoption, Unplanned Commitment, Rejection, Withdrawn, Retirement, Lingering, Niche, Planned Decline, Conscious Uncoupling, Institutional; thresholds: Discovery Threshold, Criticality Threshold, Irreversibility Threshold]
29. Cloud Adoption Lifecycle: Viral Adoption
Discovery: Adopted by a single user, who immediately invites their colleagues to join
Uncontrolled Adoption: Makes the team’s life easier, they enthusiastically adopt it
Unplanned Commitment: Integral to the business, it’s impossible to imagine life without it
31. Discovery: Identify all the Cloud Applications in use within your organisation. Understand who uses each application, when, where and why.
Governance: Highlight security, regulatory and commercial considerations for each Cloud Application, and make an appropriate decision.
Control: Block or optimise access to individual Cloud Applications. Give your people the information they need to make informed decisions.
Audit and Analyse: Continuously monitor for new Cloud Applications, and audit cost and risk. Cost and compliance reporting.
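As an added example, not Ampliphae's code: a Python routine for the Discovery step above that finds SaaS applications in constructed proxy log lines, counts distinct users and days in use per application, places each on the viral adoption stages of slide 29 (Discovery, Uncontrolled Adoption, Unplanned Commitment) and flags whether governance has sanctioned it. The log format, the application catalogue and the stage thresholds are assumptions.

```python
# Added example, not Ampliphae code: find SaaS applications in proxy logs
# and place each on the viral-adoption stages of slide 29. The log format,
# the catalogue and the stage thresholds are assumptions.
from collections import defaultdict
from datetime import date

# Constructed catalogue: hostname -> (application, sanctioned by IT?).
CATALOGUE = {
    "app.sanctioned-suite.example": ("SanctionedSuite", True),
    "files.shadowdrive.example": ("ShadowDrive", False),
    "chat.teamtalk.example": ("TeamTalk", False),
}
UNCONTROLLED_USERS = 3   # assumed: one user has invited colleagues
COMMITMENT_USERS = 10    # assumed: integral to the business ...
COMMITMENT_DAYS = 30     # ... and in sustained use

def stage(users, days_in_use):
    """Map usage figures to a lifecycle stage (assumed thresholds)."""
    if users >= COMMITMENT_USERS and days_in_use >= COMMITMENT_DAYS:
        return "Unplanned Commitment"
    if users >= UNCONTROLLED_USERS:
        return "Uncontrolled Adoption"
    return "Discovery"

def discover(log_lines):
    """Parse '<YYYY-MM-DD> <user> <host>' lines; report per application."""
    seen = defaultdict(lambda: {"users": set(), "days": set()})
    for line in log_lines:
        day, user, host = line.split()
        if host not in CATALOGUE:
            continue  # not a catalogued SaaS endpoint: out of scope here
        app = CATALOGUE[host][0]
        seen[app]["users"].add(user)
        seen[app]["days"].add(date.fromisoformat(day))
    report = {}
    for app, rec in seen.items():
        span = (max(rec["days"]) - min(rec["days"])).days + 1
        sanctioned = next(s for a, s in CATALOGUE.values() if a == app)
        report[app] = {"users": len(rec["users"]), "days": span,
                       "stage": stage(len(rec["users"]), span), "sanctioned": sanctioned}
    return report

# Constructed log: ShadowDrive spreads from one user to ten over a month.
SAMPLE = (
    ["2018-03-01 u1 files.shadowdrive.example"]
    + [f"2018-03-{d} u{i} files.shadowdrive.example" for d in (10, 31) for i in range(1, 11)]
    + ["2018-03-15 u2 chat.teamtalk.example", "2018-03-16 u3 chat.teamtalk.example",
       "2018-03-16 u4 chat.teamtalk.example", "2018-03-20 u1 app.sanctioned-suite.example"]
)
```

On the sample, the unsanctioned ShadowDrive reaches ten users over 31 days and lands in Unplanned Commitment, which is exactly the case the slides warn about: governance has to catch it while it is still in Discovery or Uncontrolled Adoption.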
Ampliphae Overview
● Discover which applications your people are using
● Know where your data is stored
● Understand how secure it is and who can access it
● Govern and manage the vendors
● Control applications and activities in the Cloud
● Manage your risks and exposures
● Deep insights into the usage and adoption of cloud applications
● Predict application growth, identify security threats and anomalies